OCTOBER 6, 2025

Silent Lynx is a new APT group with an espionage focus in Central Asia. Silent Lynx was sighted for the first time in late 2024 and has been active to date in 2025. It has likely operated from Kazakhstan but has targeted Kyrgyzstan and Turkmenistan, along with a few other Central Asian neighbors.
Silent Lynx is organized mainly as an espionage threat actor with an apparent regional focus. It is one of the few APT groups we see that combine multi-stage loaders, PowerShell, and Golang implants to breach high-value targets, ultimately to acquire sensitive information and data.
• Attribution: Formerly a Kazakhstan-based actor – with operations in various Central Asian countries.
Judging by its operations, Silent Lynx uses espionage to pursue the regional geopolitics and financial intelligence of Central Asia, with campaigns targeted mainly at economic structures and decision-making agencies.
Silent Lynx follows a multi-stage attack chain that combines social engineering with technical sophistication:
• Dec 2024: UNESCAP-themed spear-phishing against the National Bank of Kyrgyz Republic. The ISO file included a C++ loader and PowerShell RAT controlled via Telegram bots.
• Jan 2025: Phishing campaign leveraging the Ministry of Finance; the RAR archive dropped a Golang reverse shell implant, calling home to 185.122.171[.]22:8082.
• 2025 (ongoing): Wider espionage operations expanding to Turkmenistan targeting ministries, banks, and think tanks.
– Late 2024: Initially detected; ISO-based phishing campaigns.
– Dec 2024: Financial institution targeting in Kyrgyzstan using a multi-stage PowerShell RAT.
– Jan 2025: Golang-based implants delivered in Kyrgyz state-sponsored targeting.
– 2025: Expansion of operations to Turkmenistan and regional SPECA member states.
Silent Lynx has changed its toolbox and infrastructure rapidly, moving from C++ loaders and PowerShell scripts to hybrid Golang implants.
The group uses Telegram for C2 and for exfiltration, which is both non-standard and effective given their ability to remain inconspicuous in the area. There is overlap with another actor, YoroTrooper (SturgeonPhisher), which has been conducting similar operations targeting CIS states with PowerShell and Golang malware.
Silent Lynx is an emerging espionage actor in Central Asia that is developing a high level of sophistication and regional focus. They can exploit vulnerabilities of the region (open access), as well as relied-upon accounts and trusted communication themes.
They are positioned to continue their intelligence collection against governments, primarily Kyrgyzstan and Turkmenistan, as well as banking institutions, and more.
Defensive Takeaways
• Enhance phishing prevention – invest in filtering ISO/RAR file attachments, and train users on decoy lures.
• Monitor for C2 traffic using Telegram; this is uncommon for most enterprise environments.
• Identify outbound connections to known infrastructure (pweobmxdlboi[.]com; 185.122.171[.]22).
• Look for log entries and SIEM alerts for Base64-encoded PowerShell executions.
• Regional entities should consider threat intelligence products focused on Central Asia, as they are likely to change the face of the campaign.
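One way to combine the Telegram, known-infrastructure and Base64 PowerShell checks above in a single triage pass over log lines (an added example, not code from the original report). The function names, the log line layout and the sample events are assumptions constructed for illustration; the two indicators are the ones listed above and api.telegram.org is the Telegram Bot API host.

```python
import base64
import re

# Indicators as published above (defanged); refanged only in memory.
PAGE_IOCS = ["pweobmxdlboi[.]com", "185.122.171[.]22"]
INDICATORS = [i.replace("[.]", ".") for i in PAGE_IOCS] + ["api.telegram.org"]

# A command-line flag followed by a long Base64-looking argument.
FLAG_ARG = re.compile(r"\s-(\w+)\s+([A-Za-z0-9+/]{16,}={0,2})")


def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand script, or None if absent or undecodable."""
    lowered = cmdline.lower()
    if "powershell" not in lowered and "pwsh" not in lowered:
        return None
    for flag, blob in FLAG_ARG.findall(cmdline):
        flag = flag.lower()
        # PowerShell accepts any prefix of -EncodedCommand (-e, -enc, ...) and -ec.
        if not ("encodedcommand".startswith(flag) or flag == "ec"):
            continue
        try:
            # -EncodedCommand carries Base64 over UTF-16LE text.
            return base64.b64decode(blob, validate=True).decode("utf-16-le")
        except ValueError:
            return None
    return None


def triage(line):
    """Return a finding for one log line, or None when nothing matches."""
    script = decode_encoded_command(line)
    haystack = (line + " " + (script or "")).lower()
    hits = [i for i in INDICATORS if i in haystack]
    if script is None and not hits:
        return None
    return {"encoded": script is not None, "indicators": hits, "decoded": script}


def _enc(script):
    """Build a constructed -EncodedCommand argument for the sample lines."""
    return base64.b64encode(script.encode("utf-16-le")).decode()


# Constructed sample events; <TOKEN> is a placeholder, not a real bot token.
SAMPLE = [
    "powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\\Scripts\\backup.ps1",
    "powershell.exe -nop -w hidden -enc "
    + _enc("Invoke-RestMethod https://api.telegram.org/bot<TOKEN>/getUpdates"),
    "pwsh -EncodedCommand " + _enc("Get-ChildItem C:\\Temp"),
    f"conn proto=tcp dst={INDICATORS[1]} dport=8082 proc=unknown.exe",
]
```

Decoding before matching is the point: the Telegram host in the second sample is invisible to a plain string search of the raw command line.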
You can download and review the sheet for all the details!
